Analysis

max time kernel: 92s
max time network: 97s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 23/11/2024, 18:16
Static task: static1
URLScan task: urlscan1

Behavioral tasks

Task          Sample                         Resource
behavioral1   https://www.roblox.com/home    win11-20241007-en
behavioral2   https://www.roblox.com/home    win7-20241010-en
behavioral3   https://www.roblox.com/home    win10v2004-20241007-en
behavioral4   https://www.roblox.com/home    win10ltsc2021-20241023-en
behavioral5   https://www.roblox.com/home    win11-20241007-en
behavioral6   https://www.roblox.com/home    android-x86-arm-20240624-en
behavioral7   https://www.roblox.com/home    android-x64-20240910-en
behavioral8   https://www.roblox.com/home    android-x64-arm64-20240624-en
behavioral9   https://www.roblox.com/home    android-33-x64-arm64-20240910-en
behavioral10  https://www.roblox.com/home    android-x86-arm-20240910-en
behavioral11  https://www.roblox.com/home    macos-20241101-en
behavioral12  https://www.roblox.com/home    macos-20241106-en
behavioral13  https://www.roblox.com/home    ubuntu2404-amd64-20240523-en
behavioral14  https://www.roblox.com/home    debian12-armhf-20240729-en
behavioral15  https://www.roblox.com/home    debian12-mipsel-20240221-en
behavioral16  https://www.roblox.com/home    debian9-armhf-20240611-en
behavioral17  https://www.roblox.com/home    debian9-mipsbe-20240611-en
behavioral18  https://www.roblox.com/home    debian9-mipsel-20240418-en
behavioral19  https://www.roblox.com/home    ubuntu1804-amd64-20240729-en
behavioral20  https://www.roblox.com/home    ubuntu2004-amd64-20240611-en
behavioral21  https://www.roblox.com/home    ubuntu2204-amd64-20240611-en
behavioral22  https://www.roblox.com/home    ubuntu2404-amd64-20240523-en
Errors

General
Target: https://www.roblox.com/home

Malware Config

Signatures
Drops file in Windows directory (4 IoCs)

description                   ioc                                             Process
File opened for modification  C:\Windows\Panther\UnattendGC\setupact.log     UserOOBEBroker.exe
File opened for modification  C:\Windows\Panther\UnattendGC\setuperr.log     UserOOBEBroker.exe
File opened for modification  C:\Windows\Panther\UnattendGC\diagerr.xml      UserOOBEBroker.exe
File opened for modification  C:\Windows\Panther\UnattendGC\diagwrn.xml      UserOOBEBroker.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description  ioc                                                            Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    FileCoAuth.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    FileCoAuth.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)

description        ioc                                                                   Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
Modifies data under HKEY_USERS (15 IoCs)

description       ioc                                                                                                          Process
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "179"                      LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"                      LogonUI.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent                            LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"  LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"                            LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"                         LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"                       LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"                   LogonUI.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00  LogonUI.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History                             LogonUI.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM                                                       LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"                      LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"             LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"  LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"                  LogonUI.exe
Modifies registry class (4 IoCs)

description      ioc                                                                                                                                                                                                                    Process
Set value (str)  \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix                  BackgroundTransferHost.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"      BackgroundTransferHost.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"     BackgroundTransferHost.exe
Key created      \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\MuiCache                                                                                                                         BackgroundTransferHost.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)

pid   Process
4212  msedge.exe
4212  msedge.exe
3492  msedge.exe
3492  msedge.exe
2248  msedge.exe
2248  msedge.exe
2780  identity_helper.exe
2780  identity_helper.exe
Suspicious behavior: LoadsDriver (6 IoCs)

pid   Process
4     Process not Found
4     Process not Found
4     Process not Found
4     Process not Found
4     Process not Found
680   Process not Found
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (12 IoCs)

pid   Process
3492  msedge.exe   (12 entries, all identical)
Suspicious use of FindShellTrayWindow (25 IoCs)

pid   Process
3492  msedge.exe   (25 entries, all identical)
Suspicious use of SendNotifyMessage (12 IoCs)

pid   Process
3492  msedge.exe   (12 entries, all identical)
Suspicious use of SetWindowsHookEx (1 IoC)

pid   Process
5520  LogonUI.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description                       pid   Process     procid_target
PID 3492 wrote to memory of 4632  3492  msedge.exe  79
PID 3492 wrote to memory of 3756  3492  msedge.exe  80
PID 3492 wrote to memory of 4212  3492  msedge.exe  81
PID 3492 wrote to memory of 3644  3492  msedge.exe  82
(distinct rows shown; the 64 entries are these four parent/child pairs repeated)
Processes
(child processes are indented under their parent)

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.roblox.com/home
  PID: 3492
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff88c5c3cb8,0x7ff88c5c3cc8,0x7ff88c5c3cd8
    PID: 4632

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1804,13325434863452154903,18415159450069920717,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1840 /prefetch:2
    PID: 3756

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1804,13325434863452154903,18415159450069920717,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
    PID: 4212
    - Suspicious behavior: EnumeratesProcesses

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1804,13325434863452154903,18415159450069920717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
    PID: 3644

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,13325434863452154903,18415159450069920717,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
    PID: 3112

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,13325434863452154903,18415159450069920717,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
    PID: 2564

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,13325434863452154903,18415159450069920717,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
    PID: 1104

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1804,13325434863452154903,18415159450069920717,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
    PID: 2248
    - Suspicious behavior: EnumeratesProcesses

  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1804,13325434863452154903,18415159450069920717,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8
    PID: 2780
    - Suspicious behavior: EnumeratesProcesses

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,13325434863452154903,18415159450069920717,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
    PID: 2588

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,13325434863452154903,18415159450069920717,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
    PID: 4972

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,13325434863452154903,18415159450069920717,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
    PID: 4976

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,13325434863452154903,18415159450069920717,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
    PID: 2116

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,13325434863452154903,18415159450069920717,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
    PID: 916

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,13325434863452154903,18415159450069920717,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
    PID: 1476

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,13325434863452154903,18415159450069920717,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
    PID: 3948

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,13325434863452154903,18415159450069920717,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
    PID: 4468

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,13325434863452154903,18415159450069920717,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
    PID: 3916

C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3496

C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 400

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
  PID: 4972

C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
  PID: 5304
  - Drops file in Windows directory

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
  PID: 5312
  - Modifies registry class

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
  PID: 5360
  - System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
  PID: 3120
  - System Location Discovery: System Language Discovery

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://www.bing.com/search?q=Lock%20your%20Windows%20PC%20automatically%20in%20Windows%2011&form=B00032&ocid=SettingsHAQ-BingIA&mkt=en-US
  PID: 1796

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff88c5c3cb8,0x7ff88c5c3cc8,0x7ff88c5c3cd8
    PID: 5484

"LogonUI.exe" /flags:0x4 /state0:0xa3a33055 /state1:0x41c64e6d
  PID: 5520
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads